Wanted to follow up in case anyone else hits this.
What my problem was: Steam was downloading via Comcast's servers instead of its own, and Comcast's end up using 443 for whatever reason (RIP cache).
Solution: Nothing simple; I ended up leaving sniproxy disabled. Some Steam images won't load, but it's otherwise unimpactful. If you're caching something that needs sniproxy, I don't have a solution for you, but I suspect it'd work if you can somehow make sniproxy or the DNS blackhole the Comcast IPs.
To confirm you have the same issue I do, you'll see this in the sniproxy log: https://gist.github.com/MatthewM/f5be266da56219ba1f1a61327ab4ee65
Other threads on the issue I came across:
https://github.com/uklans/cache-domains/pull/19
https://github.com/steamcache/steamcache-dns/issues/47